语境
我在我们的主站点和新的备份站点之间建立了一条 VPN 连接,两端各为一台 ASA-5515。它用于替换我们的旧备份站点;旧站点目前通过 ASA-5515(主站点)与 FreeBSD 上的 Racoon 之间的连接工作。
问题
2 台 ASA-5515 之间的文件传输速度只有 ASA-5515 与 FreeBSD 之间连接速度的一半。
期望
我的期望是:考虑到旧备份站点位于法国,而新备份站点位于英国(与我们的主站点相同),速度应当相同甚至更好。
调查
我在进行一些磁盘读写测试时已将文件从一台服务器传输到另一台服务器,并已排除这是磁盘读写速度的问题。
我还针对新旧备份站点执行了此测试:
root@main_site_server:# dd if=/dev/zero bs=1M count=10240 | ssh server@backup 'cat > /dev/null'
(https://www.commandlinefu.com/commands/view/5799/test-network-speed-without-wasting-disk)
transfer from primary_site to new_backup_site
10240+0 records in
10240+0 records out
10737418240 bytes (11 GB) copied, 351.285 s, 30.6 MB/s
transfer from primary_site to old_backup_site
10240+0 records in
10240+0 records out
10737418240 bytes (11 GB) copied, 189.332 s, 56.7 MB/s
我怀疑问题可能在于站点到站点 VPN 的配置方式。
两个站点到站点配置之间的唯一区别是:其中一个备份站点配置了 NAT 豁免,其加密映射(crypto map)条目中的安全关联(SA)生命周期按流量设为无限(而非 4608000),且优先级为 7(而非 5)。
问题
我的问题是:这些设置中是否有任何一项会对传输速度产生如此大的影响?
技术信息
所有服务器都通过以下 Cisco 交换机型号 ws-c2960x-48ts-l 连接
配置(已尽可能地脱敏清理)
主站点路由器配置 (Cisco ASA-5515)
: Main-site ASA (9.8(2)) running-config excerpt, sanitized by the author.
: Carries two IKEv1 ipsec-l2l tunnels: crypto map entry 5 to the old backup
: site (FreeBSD/Racoon) and entry 7 to the new backup site (ASA 9.1(1)).
ASA Version 9.8(2)
!
interface GigabitEthernet0/0
description Link to redstation
nameif outside
security-level 0
ip address <maindatacenter_external_ip> standby <main_site_secondary_ip>
!
interface GigabitEthernet0/1
description prodsw - internal
nameif inside
security-level 100
ip address <maindatacenter_gateway_ip> standby <main_site_secondary_gateway_ip>
!
interface GigabitEthernet0/2
description prodsw - dmz
nameif dmz
security-level 50
ip address <maindatacenter_dmz_gateway_ip> standby <main_site_dmz_secondary_gateway_ip>
!
boot system disk0:/asa982-smp-k8.bin
!
object network network_internal
subnet <main_site_internal_network>
!
object network <old_backup_internal>
subnet <old_backup_internal_network>
!
object network <new_backup_internal>
subnet <new_backup_internal_network>
object network NETWORK_OBJ_<main_site_internal_network>
subnet <main_site_internal_network>
object network <new_backup_external>
host <new_backup_external_ip>
!
: NOTE(review): a bare group-object with no enclosing object-group looks like
: a paste/sanitization artifact (presumably an "object-group network
: hostgroup_connect" header was dropped) - confirm against the device.
group-object hostgroup_connect
network-object object <old_backup_internal>
network-object object <new_backup_internal>
!
object-group network hostgroup_ike_peers
network-object object <new_backup_external>
!
: Crypto ACLs ("interesting traffic"), one per tunnel peer.
access-list outside_cryptomap_1 extended permit ip object network_internal object <old_backup_internal>
!
access-list outside_cryptomap_4 extended permit ip object network_internal object <new_backup_internal>
!
: Inside-to-anywhere is fully permitted.
access-list inside_access_in extended permit ip any any
!
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-782.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
: NAT exemption (identity NAT) so tunnelled traffic is not PATed. The "no_nat"
: object is referenced here but not defined in this excerpt.
nat (inside,any) source static network_internal network_internal destination static no_nat no_nat no-proxy-arp route-lookup
nat (dmz,any) source static network_internal network_internal destination static no_nat no_nat no-proxy-arp route-lookup
nat (inside,outside) source dynamic any interface
nat (dmz,outside) source dynamic any interface
: Explicit NAT exemption for the new backup site only. Whether the old backup
: site is covered by "no_nat" above cannot be told from this excerpt; the
: author lists NAT exemption as one of the differences between the tunnels.
nat (inside,outside) source static network_internal network_internal destination static <new_backup_internal> <new_backup_internal>
!
: outside_access_in, outside_in and dmz_in are applied here but their contents
: are not part of this excerpt.
access-group outside_access_in in interface outside control-plane
access-group outside_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_in in interface dmz
!
route outside 0.0.0.0 0.0.0.0 <main_site_external_ip> 1
!
: IKEv1 transform sets. The list includes DES, 3DES and MD5 variants. They are
: only used if a peer selects them, but keeping them offered widens what a
: misconfigured or downgraded peer can negotiate; both backup peers in this
: page are configured for AES/SHA, so the legacy entries can be pruned.
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
: IKEv2 ESP proposals; DES/3DES encryption and MD5 integrity are offered too.
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
: Clears the DF bit on packets leaving "outside", so oversized encapsulated
: packets are fragmented rather than dropped. No equivalent line appears in
: the new backup ASA excerpt; keep that in mind when comparing the tunnels.
crypto ipsec df-bit clear-df outside
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
!
: Crypto map 5: tunnel to the old backup site (Racoon). AES-128-SHA is first
: in the proposal order; the DES/MD5 entries at the tail should be dropped.
crypto map outside_map 5 match address outside_cryptomap_1
crypto map outside_map 5 set pfs
crypto map outside_map 5 set peer <old_backup_external_ip>
crypto map outside_map 5 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
!
: Crypto map 7: tunnel to the new backup site. Same proposal list, plus an
: unlimited volume-based SA lifetime.
crypto map outside_map 7 match address outside_cryptomap_4
crypto map outside_map 7 set pfs
crypto map outside_map 7 set peer <new_backup_external_ip>
crypto map outside_map 7 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
: "unlimited" disables rekeying by traffic volume for this SA; time-based
: rekeying still applies. The peer configures 2147483647 kilobytes instead, so
: the two ends differ - confirm which value the established SA actually uses.
crypto map outside_map 7 set security-association lifetime kilobytes unlimited
!
: No "crypto map outside_map interface outside" line appears in this excerpt;
: the peer's config has one and the map cannot be active without it, so it was
: presumably trimmed during sanitization.
crypto isakmp identity address
: IKEv2 policies. All of them offer DH groups 5 and 2 (1536/1024-bit MODP) and
: the lower-priority ones offer 3DES and DES.
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
: IKEv2 remote-access client services are also enabled on "outside".
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint6
crypto ikev1 enable outside
: IKEv1 phase-1 policies, pre-shared key, DH group 2 (1024-bit). Policy 201
: (aes/sha/group 2) is the closest match to the Racoon proposal on this page
: (aes128/sha1/dh_group 2), though its 28800 s lifetime differs from Racoon's
: 24 h - presumably reconciled during negotiation; confirm if in doubt.
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 201
authentication pre-share
encryption aes
hash sha
group 2
lifetime 28800
!
error-recovery disable
!
: Tunnel groups for the two L2L peers. Pre-shared key values are redacted in
: this excerpt.
tunnel-group <old_backup_external_ip> type ipsec-l2l
tunnel-group <old_backup_external_ip> general-attributes
default-group-policy GroupPolicy_Backup
tunnel-group <old_backup_external_ip> ipsec-attributes
ikev1 pre-shared-key
!
tunnel-group <new_backup_external_ip> type ipsec-l2l
tunnel-group <new_backup_external_ip> general-attributes
default-group-policy GroupPolicy_<new_backup_external_ip>
tunnel-group <new_backup_external_ip> ipsec-attributes
ikev1 pre-shared-key
: IKEv2 PSKs are configured, but crypto map 7 only sets an ikev1 transform set
: and the peer's group policy is "vpn-tunnel-protocol ikev1", so this tunnel
: runs IKEv1 in practice.
ikev2 remote-authentication pre-shared-key
ikev2 local-authentication pre-shared-key
: end
新的备份路由器配置 (Cisco ASA-5515)
Result of the command: "show running-config"
: Saved
:
: New backup-site ASA running-config, sanitized by the author. Runs 9.1(1),
: several releases behind the main site's 9.8(2); no standby unit.
: Two IKEv1 ipsec-l2l tunnels: map 1 to the main site, map 2 to the old backup
: site (FreeBSD/Racoon).
ASA Version 9.1(1)
!
interface GigabitEthernet0/0
description LINK TO WAN
nameif outside
security-level 0
ip address <newbackup_external_ip>
!
interface GigabitEthernet0/1
description LINK TO LAN
nameif inside
security-level 100
ip address <newbackup_gateway_ip>
!
ftp mode passive
!
object network my-inside-net
subnet <newbackup_internal_network>
object network <maindatacenter_internal_network>
subnet <maindatacenter_internal_network>
object network <maindatacenter_external_ip>
host <maindatacenter_external_ip>
object network NETWORK_OBJ_<newbackup_internal_network>
subnet <newbackup_internal_network>
object network <oldbackup_internal_network>
subnet <oldbackup_internal_network>
object network <oldbackup_external_ip>
host <oldbackup_external_ip>
object-group service 4500 udp
description port 4500 adsm
port-object eq 4500
object-group icmp-type DM_INLINE_ICMP_1
icmp-object echo
icmp-object echo-reply
object-group icmp-type DM_INLINE_ICMP_2
icmp-object echo
icmp-object echo-reply
: OUTSIDE-IN is applied inbound on the outside interface (see access-group
: below) and its second rule permits all IP from any source. That admits any
: Internet traffic with a NAT/route path, not only the VPN peers; restrict it
: to the peers and services actually needed. Tunnelled traffic does not need
: it when "sysopt connection permit-vpn" (the default) is in effect.
access-list OUTSIDE-IN extended permit icmp any any object-group DM_INLINE_ICMP_2
access-list OUTSIDE-IN extended permit ip any any
: Crypto ACL for the main-site tunnel.
access-list outside_cryptomap_1 extended permit ip <newbackup_internal_network> object <maindatacenter_internal_network>
: The final "permit ip any any" makes the preceding inside_access_in entries
: redundant.
access-list inside_access_in extended permit ip <newbackup_internal_network> object <maindatacenter_internal_network>
access-list inside_access_in extended permit ip <newbackup_internal_network> object <oldbackup_internal_network>
access-list inside_access_in extended permit ip object <maindatacenter_internal_network> <newbackup_internal_network>
access-list inside_access_in extended permit ip object <oldbackup_internal_network> <newbackup_internal_network>
access-list inside_access_in extended permit ip object <maindatacenter_internal_network> object my-inside-net
access-list inside_access_in extended permit icmp any object <maindatacenter_internal_network> object-group DM_INLINE_ICMP_1
access-list inside_access_in extended permit ip any any
access-list global_access extended permit ip object <maindatacenter_internal_network> interface inside
: outside_access_in is applied to the control plane (to-the-box traffic). The
: two isakmp rules are moot because the third rule permits everything; drop
: the catch-all so only the two IKE peers can reach the box from outside.
access-list outside_access_in extended permit udp object <maindatacenter_external_ip> any eq isakmp
access-list outside_access_in extended permit udp object <oldbackup_external_ip> any eq isakmp
access-list outside_access_in extended permit ip any any
: Crypto ACL for the old-backup-site tunnel.
access-list outside_cryptomap extended permit ip <newbackup_internal_network> object <oldbackup_internal_network>
!
mtu outside 1500
mtu inside 1500
!
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-792-152.bin
!
arp timeout 14400
no arp permit-nonconnected
: NAT exemption for both tunnels. The mapped object
: NETWORK_OBJ_<newbackup_internal_network>_24 is not defined in this excerpt
: (only the variant without "_24" is) - presumably a sanitization artifact.
nat (inside,outside) source static NETWORK_OBJ_<newbackup_internal_network> NETWORK_OBJ_<newbackup_internal_network>_24 destination static <maindatacenter_internal_network> <maindatacenter_internal_network> no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_<newbackup_internal_network> NETWORK_OBJ_<newbackup_internal_network>_24 destination static <oldbackup_internal_network> <oldbackup_internal_network> no-proxy-arp route-lookup
!
: Dynamic PAT of the inside network to the outside interface address.
object network my-inside-net
nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside control-plane
access-group OUTSIDE-IN in interface outside
access-group inside_access_in in interface inside
access-group global_access global
route outside 0.0.0.0 0.0.0.0 <newbackup_external_ip> 1
!
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
: IKEv1 transform sets - same list as the main site, including DES, 3DES and
: MD5 variants. Both peers are AES/SHA; prune the legacy entries on both ends.
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
: IKEv2 ESP proposals (not used by either L2L tunnel, which are ikev1-only).
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
: Crypto map 1: tunnel to the main site. Same proposal order as the peer.
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer <maindatacenter_external_ip>
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
: Volume-based SA lifetime is 2147483647 KB here while the main site sets
: "unlimited" for the same tunnel; the ends differ, so confirm which value the
: negotiated SA carries.
crypto map outside_map 1 set security-association lifetime kilobytes 2147483647
: Crypto map 2: tunnel to the old backup site (Racoon); no lifetime override.
crypto map outside_map 2 match address outside_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer <oldbackup_external_ip>
crypto map outside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map interface outside
crypto ca trustpool policy
: IKEv2 policies - same as the main site, DH groups 5 and 2 throughout.
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
: IKEv1 phase-1 policies. All use DH group 2; the set includes DES and 3DES
: and rsa-sig variants that no tunnel group on this page uses (both tunnel
: groups are pre-shared key only). Policy 201 matches the main site's 201.
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 201
authentication pre-share
encryption aes
hash sha
group 2
lifetime 28800
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
: Both L2L group policies restrict the tunnel protocol to IKEv1.
group-policy GroupPolicy_<oldbackup_external_ip> internal
group-policy GroupPolicy_<oldbackup_external_ip> attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_<maindatacenter_external_ip> internal
group-policy GroupPolicy_<maindatacenter_external_ip> attributes
vpn-tunnel-protocol ikev1
!
: Tunnel groups; pre-shared key values are redacted in this excerpt.
tunnel-group <maindatacenter_external_ip> type ipsec-l2l
tunnel-group <maindatacenter_external_ip> general-attributes
default-group-policy GroupPolicy_<maindatacenter_external_ip>
tunnel-group <maindatacenter_external_ip> ipsec-attributes
ikev1 pre-shared-key
tunnel-group <oldbackup_external_ip> type ipsec-l2l
tunnel-group <oldbackup_external_ip> general-attributes
default-group-policy GroupPolicy_<oldbackup_external_ip>
tunnel-group <oldbackup_external_ip> ipsec-attributes
ikev1 pre-shared-key
!
class-map inspection_default
match default-inspection-traffic
!
: end
旧的备份路由器配置 (FreeBSD/Racoon)
# Old backup-site racoon.conf (FreeBSD), sanitized by the author.
# IKEv1 main mode with pre-shared keys to two peers: the main-site ASA and
# the new backup-site ASA.

# ISAKMP padding behaviour, as configured by the author.
padding
{
maximum_length 20;
randomize off;
strict_check off;
exclusive_tail off;
}
# Retransmission: 5 attempts, 20 s apart. phase1/phase2 are presumably the
# fallback lifetimes when a remote/sainfo block does not set its own.
timers
{
counter 5;
interval 20 sec;
persend 1;
phase1 24 hour;
phase2 3600 sec;
}
# IKE on UDP/500 plus NAT-T on UDP/4500, bound to the external address.
listen
{
isakmp <old_backup_external_ip> [500];
isakmp_natt <old_backup_external_ip> [4500];
}
# Phase 1 towards the main-site ASA: main mode, address identifiers, PSK,
# AES-128/SHA-1/DH group 2 (1024-bit MODP - legacy strength), 24 h lifetime.
# proposal_check obey: as responder racoon accepts the initiator's lifetime
# and PFS values outright; "strict" or "claim" would enforce the local ones.
remote <main_site_external_ip> [500]
{
exchange_mode main;
situation identity_only;
my_identifier address <old_backup_external_ip>;
peers_identifier address <main_site_external_ip>;
lifetime time 24 hour;
passive off;
proposal_check obey;
generate_policy off;
proposal {
encryption_algorithm aes128;
hash_algorithm sha1;
authentication_method pre_shared_key;
lifetime time 24 hour;
dh_group 2;
}
}
# Phase 2 (IPsec SA) parameters for old-backup <-> main-site traffic.
# PFS group 2 pairs with the ASA's "set pfs". compression_algorithm deflate
# asks for IPComp; the ASA transform sets on this page offer no compression,
# so it is presumably not negotiated, and it could not help the dd-over-ssh
# test anyway since ssh already encrypts the payload.
sainfo (address <old_backup_internal_network> any address <primary_site_internal_network> any)
{
pfs_group 2;
lifetime time 3600 sec;
encryption_algorithm aes;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
# Second selector for another main-site range; the placeholder name differs
# from the one above (sanitization artifact or a second subnet - unclear).
sainfo (address <old_backup_internal_network> any address <internal_network_range> any)
{
pfs_group 2;
lifetime time 3600 sec;
encryption_algorithm aes;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
# Phase 1 towards the new backup-site ASA; identical parameters to the
# main-site peer.
remote <new_backup_external_ip> [500]
{
exchange_mode main;
situation identity_only;
my_identifier address <old_backup_external_ip>;
peers_identifier address <new_backup_external_ip>;
lifetime time 24 hour;
passive off;
proposal_check obey;
generate_policy off;
proposal {
encryption_algorithm aes128;
hash_algorithm sha1;
authentication_method pre_shared_key;
lifetime time 24 hour;
dh_group 2;
}
}
# Phase 2 for old-backup <-> new-backup traffic. NOTE(review): the "/24"
# suffix appears only in these two sainfo blocks and not in the ones above -
# likely a sanitization inconsistency; confirm the real selectors match the
# ASA crypto ACLs exactly.
sainfo (address <old_backup_internal_network>/24 any address <new_backup_internal_network> any)
{
pfs_group 2;
lifetime time 3600 sec;
encryption_algorithm aes;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
# Reverse direction of the selector above, same parameters.
sainfo (address <new_backup_internal_network>/24 any address <old_backup_internal_network> any)
{
pfs_group 2;
lifetime time 3600 sec;
encryption_algorithm aes;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}